Hi Fraser,

We did use the command twice. Once to generate the CSR and a second time to supply the new certificates.

I'll check with our security agent if I may supply the certificates. I'm afraid I may not supply them because of the firm security policies.

Kind regards,
wim vinckier.

On Mon, 3 Sep 2018 at 03:17, Fraser Tweedale <firstname.lastname@example.org> wrote:
On Fri, Aug 31, 2018 at 05:26:04PM +0200, Wim Vinckier via FreeIPA-users wrote:
> Hi All,
> We are using our own (self-signed) root CA for our installations. We just
> started to use ipa and after exploring the possibilities we want to switch
> to the root CA we normally use. According to  it should be done using
> these instructions . When we try to renew the certificate we get this:
> [root@ipa ~]# ipa-cacert-manage renew
> Importing the renewed CA certificate, please wait
> CA certificate chain in /root/Certificate_Authority.pem, root.cert is
> incomplete: missing certificate with subject 'CN=Example SCRL'
> The ipa-cacert-manage command failed.
> When we check the subject of the file, it seems to be correct to me:
> [root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert
> subject= /CN=Example SCRL
> Is there anyone who can help me with this?
> Kind regards,
> wim vinckier.
Did you first run `ipa-cacert-manage renew --external-ca` to
generate the CSR for submission to the new CA? Then you invoke
`ipa-cacert-manage renew` a second time, supplying the new IPA CA
certificate and superior CA certificate(s) via the
If you did these steps, then please convey your certificates so we
can inspect them and determine what the problem is.
-- 
I would love to change the world, but they won't give me the source code.
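
Added example, not part of the original thread: a shell check that lists the subject and issuer of every certificate in the PEM files you plan to supply and reports any issuer that none of the supplied certificates provides. The function names `chain_names` and `missing_issuers` are hypothetical; the comparison is on the RFC 2253 text that `openssl x509` prints, so it is an assumption that a textual match is what matters (it will not show differences in how a name is encoded inside the certificate).

```shell
#!/bin/sh
# Added example (not from the thread): find issuers missing from a set of PEM files.

# Print "subject<TAB>issuer" in RFC 2253 form for every certificate in the given PEM files.
chain_names() {
    tmp=$(mktemp -d) || return 1
    # Split the inputs into one file per certificate so openssl x509 sees each one.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", d, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }' "$@"
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || continue
        s=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        i=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        printf '%s\t%s\n' "$s" "$i"
    done
    rm -rf "$tmp"
}

# Print each issuer name that is not the subject of any supplied certificate.
# A self-signed root has issuer == subject, so a complete chain prints nothing.
missing_issuers() {
    chain_names "$@" | awk -F '\t' '
        { subj[$1] = 1; iss[$2] = 1 }
        END { for (i in iss) if (!(i in subj)) print i }'
}

# Stand-alone use: pass the certificate files as arguments.
if [ "$#" -gt 0 ]; then
    missing_issuers "$@"
fi
```

Empty output means every issuer named in the files is also present as a subject; any line printed is a name whose certificate still has to be added to the files.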